Unsecure laptops still a major security threat for healthcare

More than 63 percent of laptops have deficiencies related to users storing data locally rather than accessing the organization’s programs and data via secure, virtual desktop software, a new report shows.

Laptops are still one of the components that pose the greatest risk of cyber intrusion for healthcare systems, according to a report from the Clearwater CyberIntelligence Institute.

The institute found endpoint data loss, excessive user permissions, and dormant accounts make up 70 percent of all high and critical risk scenarios for laptop vulnerabilities at hospitals and health systems across the country.

The results indicated endpoint data loss in particular remains so high because of continued deficiencies in data loss prevention tools and data storage vulnerabilities.

For example, the study revealed more than half (52.7 percent) of laptops have deficiencies in data loss prevention tools, which are designed to scan all communications traffic to keep sensitive data from being sent to unauthorized users.

In addition, 63.3 percent of laptops have deficiencies related to users storing data locally rather than accessing the organization’s programs and data via secure, virtual desktop software.

Most troubling, nearly all (98.9 percent) of laptops were found to have deficiencies in locking down external ports such as USB, CD, DVD or FireWire, a control that would otherwise prevent users from exporting sensitive data to external storage media.

"It may seem like a given, but the questions that hospitals and health systems need to be constantly considering are, do we know for certain that the security measures we have adopted for these things have been properly implemented," said Clearwater’s Jon Stone, who leads CCI and serves as senior vice president for product innovation said in a statement. "Further, do the risk ratings associated with these controls bring the right level of attention to these major risks?"

Together, the top three areas of vulnerability account for nearly 37 percent of all critical risk scenarios, according to the report.

In January 2018, a laptop of a Coplin Health Systems employee was stolen from a car in November, serving as a reminder to healthcare organizations to encrypt all data that physically leave the building.

Coplin had to notify 43,000 patients of a potential data breach due to the theft, and officials disabled the computer’s access to the organization’s network and have continuously monitored systems for unauthorized access.

In March 2016, North Memorial Health Care of Minnesota was hit with a $1.55 million settlement with HHS stemming from the 2011 theft of an unencrypted laptop from a business associate’s workforce member’s vehicle.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.